Moses Mendoza (moses@puppetlabs.com) reports:
CVE-2013-1655 - Unauthenticated remote code execution risk
* Affected versions: 2.7.0 and greater
* Affects puppet masters running ruby 1.9.3 and up
* Patched versions: 2.7.x, 3.1.x
A bug in Puppet allows unauthenticated clients to send requests to the
puppet master, and have the master load code in an unsafe manner. This
has the potential for causing problems such as described in the Rails
CVE-2013-0156, though we have not identified an exploit at this time.
It only affects users whose puppet masters are running ruby 1.9.3 and
above.
External References:
https://puppetlabs.com/security/cve/cve-2013-1655/